Social Security Number Fraud Prevention Act Requirements

Published date: 12 April 2024
Record Number: 2024-07750
Citation: 89 FR 25749
Court: Personnel Management Office
Section: Rules and Regulations
This section of the FEDERAL REGISTER
contains regulatory documents having general
applicability and legal effect, most of which
are keyed to and codified in the Code of
Federal Regulations, which is published under
50 titles pursuant to 44 U.S.C. 1510.
The Code of Federal Regulations is sold by
the Superintendent of Documents.
Rules and Regulations Federal Register
25749
Vol. 89, No. 72
Friday, April 12, 2024
OFFICE OF PERSONNEL
MANAGEMENT
5 CFR Part 297
[Docket ID: OPM–2023–0035]
RIN 3206–AO16
Social Security Number Fraud
Prevention Act Requirements
AGENCY: Office of Personnel
Management.
ACTION: Direct final rule.
SUMMARY: The Office of Personnel
Management (OPM) is publishing this
direct final rule to implement the
requirements of the Social Security
Number Fraud Prevention Act of 2017
(Act). In accordance with the Act, OPM
is amending its privacy procedures to
prohibit the inclusion of Social Security
numbers (SSNs) on any document sent
through the mail unless the Director of
OPM deems it necessary. This rule also
establishes requirements for
safeguarding SSNs sent through the mail
by partially redacting SSNs where
feasible and prohibiting the display of
SSNs on the outside of any package or
envelope sent by mail.
DATES: This rule is effective on June 26,
2024, without further action unless
significant adverse comments are
received by June 11, 2024. If significant
adverse comments are received, OPM
will withdraw this direct final rule and
publish a proposed rule.
ADDRESSES: You may submit comments
for this direct final rule using the
following method:
Federal Rulemaking Portal: https://www.regulations.gov. Follow the
instructions for sending comments.
All submissions received must
include the agency name and docket
number for this direct final rule. The
general policy for comments and other
submissions from members of the public
is to make these submissions available
for public viewing at https://www.regulations.gov as they are
received, without change, including any
personal identifiers or contact
information.
FOR FURTHER INFORMATION CONTACT:
Kirsten J. Moncada, Executive Director,
Office of the Executive Secretariat,
Privacy, and Information Management,
202–936–0251.
SUPPLEMENTARY INFORMATION: The Social
Security Number Fraud Prevention Act
of 2017, Public Law 115–59, 42 U.S.C.
405 note, restricts the inclusion of SSNs
on documents sent by mail unless the
head of the agency determines that the
inclusion of the SSNs on the documents
is necessary. The Act also directs
agencies to issue regulations that specify
when inclusion of an SSN is necessary
and include requirements for the
safeguarding of SSNs by partially
redacting SSNs where feasible and
prohibiting the display of SSNs on the
outside of any package or envelope sent
by mail.
To implement the Act, OPM is adding
new subpart F, titled ‘‘Protecting Social
Security Numbers in Mailed
Documents,’’ to its privacy procedures
at 5 CFR part 297. The new
requirements in subpart F prohibit the
inclusion of SSNs on any document
OPM program offices send through the
mail unless the Director of OPM, on the
advice of the Senior Agency Official for
Privacy, deems it necessary and
precautions are taken to protect the
SSNs. In addition, subpart F includes
requirements for OPM program offices
to partially redact SSNs where feasible
and specifically prohibits the display of
complete or partial SSNs on the outside
of any package or envelope sent by mail
or through the window of an envelope
or package. Subpart F applies to all
OPM office activities and written or
printed documents OPM sends by mail
that include a complete or partial SSN.
OPM is also amending 5 CFR 297.102
to add the definitions of ‘‘document,’’
and ‘‘mail’’ to make explicit OPM’s
meaning of the terms in this new
subpart F. For the purposes of this rule,
a document is a record of some
information that can be used as an
authority or for reference, further
analyses, or study. This includes all
records OPM maintains and uses to
identify, track, and correspond with
agencies, Federal employees,
contractors, and annuitants, among
others. Mail is defined as artifacts used
to assemble letters and packages that are
sent or delivered by the United States
Postal Service or other commercial letter
or parcel delivery services.
Direct Final Rule Justification
This rule of agency organization,
procedure, or practice is exempt from
the prior public notice and comment
requirements of the Administrative
Procedure Act. See 5 U.S.C.
553(b)(3)(A). This rule will not have any
effect on the rights, obligations, or
interests of any affected parties, as it is
merely procedural and reflects a
statutory requirement that is already in
effect. The rule restricts and safeguards
the inclusion of SSNs in documents that
are mailed to prevent unauthorized
disclosure of SSNs and protect
individual privacy. Accordingly, OPM
for good cause finds that the notice and
comment requirements are unnecessary.
See 5 U.S.C. 553(b)(3)(B).
This rule is also suitable for direct
final rulemaking because it is
non-controversial and consistent with
Federal law and policy regarding the
appropriate handling and protection of
SSNs. The provisions of the rule will be
beneficial to members of the public and
Federal employees because it protects
their personally identifiable
information. Because this
non-substantive rule makes no changes to
the legal obligations or rights of any
affected parties (i.e., reflects a statutory
requirement that is already in effect)
and because it is in the public interest
to have this rule be effective as soon as
possible, OPM does not expect to
receive any significant adverse
comments.
This rule will be effective June 26,
2024, without further action unless
significant adverse comments are
received. A significant adverse comment
is one that explains: (1) why the rule is
inappropriate, including challenges to
the rule’s underlying premise or
approach; or (2) why the direct final
rule will be ineffective or unacceptable
without a change. If such comments are
received, this direct final rule will be
withdrawn and a proposed rule for
comments will be published. If no such
comments are received, this direct final
rule will become effective 15 days after
the comment period expires. In
determining whether a significant
adverse comment necessitates
withdrawal of this direct final rule,
OPM will consider whether the
comment raises an issue serious enough
to warrant a substantive response had it
been submitted in a standard notice and
comment process. A comment
recommending an addition to the rule
will not be considered significant and
adverse unless the comment explains
how this direct final rule would be
ineffective without the addition.
Expected Impact of This Direct Final
Rule
SSNs are used as unique identifiers by
government agencies, businesses, and
other entities. The theft and fraudulent
use of SSNs can result in significant
repercussions for the SSN holder, as
well as the entities from which SSNs
were stolen. This direct final rule
formalizes in regulation OPM’s current
practice of safeguarding SSNs in mailed
documents and will support efforts to
protect individual privacy. In
accordance with the E-Government Act
(2002), OPM currently applies
encryption technology and other
security controls, such as password
protection, to minimize the risk of
unauthorized disclosure of SSNs. OPM
program offices are also required to
conduct proper assessments to
minimize the use of SSNs and the
impact to individual privacy as a result
of their inclusion in any document. This
rule supplements these procedures and
is beneficial because it protects
individual privacy and standardizes
OPM’s procedures for mailing
documents with SSNs. There are no
alternatives to this rule because it is
required by statute.
Regulatory Review
Executive Orders 13563, 12866, and
14094 direct agencies to assess all costs
and benefits of available regulatory
alternatives and, if regulation is
necessary, to select regulatory
approaches that maximize net benefits
(including potential economic,
environmental, public health and safety
effects, distributive impacts, and
equity). The Office of Information and
Regulatory Affairs in the Office of
Management and Budget has
determined this rule is not a ‘‘significant
regulatory action’’ under section 3(f) of
Executive Order 12866, as amended by
Executive Order 14094.
Regulatory Flexibility Act
The Director of OPM certifies that this
rule will not have a significant
economic impact on a substantial
number of small entities because it is a
procedural rule that applies only to
OPM.
E.O. 13132, Federalism
This rule will not have substantial
direct effects on the States, on the
relationship between the National
Government and the States, or on
distribution of power and
responsibilities among the various
levels of government. Therefore, in
accordance with Executive Order 13132,
OPM has determined that this direct
rule does not have federalism
implications that require preparation of
a federalism summary impact statement.
E.O. 12988, Civil Justice Reform
OPM has determined that this rule
meets the relevant standards of
Executive Order 12988.
Unfunded Mandates Reform Act of 1995
This rule will not result in the
expenditure by State, local, or tribal
governments, or the private sector of
more than $100 million annually. Thus,
no written assessment of unfunded
mandates is required.
Congressional Review Act
Subtitle E of the Small Business
Regulatory Enforcement Fairness Act of
1996 (known as the Congressional
Review Act or CRA) (5 U.S.C. 801, et
seq.) requires rules to be submitted to
Congress before taking effect. OPM will
submit to Congress and the Comptroller
General of the United States a report
regarding the issuance of this rule before
its effective date, as required by 5 U.S.C.
801. The Office of Information and
Regulatory Affairs in the Office of
Management and Budget has
determined that this rule is not a major
rule as defined by the CRA (5 U.S.C.
804).
Paperwork Reduction Act of 1995
This regulatory action will not impose
any reporting or recordkeeping
requirements under the Paperwork
Reduction Act (44 U.S.C. Chapter 35).
List of Subjects in 5 CFR Part 297
Privacy.
Office of Personnel Management.
Kayyonne Marston,
Federal Register Liaison.
For reasons stated in the preamble,
OPM amends 5 CFR part 297 as follows:
PART 297—PRIVACY PROCEDURES
FOR PERSONNEL RECORDS
1. The authority citation for part 297
is revised to read as follows:
Authority: 5 U.S.C. 552a; Pub. L. 115–59,
113 Stat. 1152 (42 U.S.C. 405 note).
2. Amend § 297.102 by adding in
alphabetical order the definitions for
‘‘Document’’ and ‘‘Mail’’ to read as
follows:
§ 297.102 Definitions.
* * * * *
Document means a piece of written or
printed matter that provides information
or evidence or that serves as official
record.
Mail means artifacts used to assemble
letters and packages that are sent or
delivered by the United States Postal
Service or other commercial letter or
parcel delivery services.
* * * * *
3. Add subpart F, consisting of
§§ 297.601 and 297.602, to read as
follows:
Subpart F—Privacy and Social
Security Number Fraud Prevention
Sec.
297.601 Purpose and scope.
297.602 Protecting Social Security numbers
in mailed documents.
§ 297.601 Purpose and scope.
The purpose of this subpart is to
implement the requirements of the
Social Security Number Fraud
Prevention Act of 2017 to limit the use
of Social Security numbers on
documents mailed by the Office of
Personnel and Management (OPM). The
subpart applies to all written or printed
documents that OPM sends by mail that
include a complete or partial Social
Security number.
§ 297.602 Protecting Social Security
numbers in mailed documents.
(a) Social Security numbers must not
be visible on the outside of any package
OPM sends by mail or displayed on
correspondence that is visible through
the window of an envelope or package.
(b) A document OPM sends by mail
may only include a Social Security
number if the Director of OPM
determines, on the advice of the Senior
Agency Official for Privacy, that the
inclusion of a Social Security number
on a document sent by mail is necessary
and appropriate to meet legal and
mission requirements.
(c) The inclusion of a Social Security
number on a document sent by mail is
necessary when—
(1) Required by law; or
(2) Necessary to identify a specific
person and no adequate substitute is
available.
(d) Social Security numbers must be
partially redacted in documents sent by
mail whenever feasible to mitigate any
risks to privacy.
[FR Doc. 2024–07750 Filed 4–11–24; 8:45 am]
BILLING CODE 6325–67–P